author | Michael Catanzaro <mcatanzaro@igalia.com> | 2019-06-27 16:58:03 -0500 |
---|---|---|
committer | Michael Catanzaro <mcatanzaro@igalia.com> | 2019-06-27 16:58:03 -0500 |
commit | d83587b2a364eb9a9a53be7e6a708074e252de14 (patch) | |
tree | 54849e0ba8f513bd583225fb3214352cc4398fda | |
parent | f586fa04c1bf5247cfecfecbf243655694452417 (diff) | |
download | gvdb-d83587b2a364eb9a9a53be7e6a708074e252de14.tar.gz |
Fix gvdb_table_write_contents_async()
It worked when I first wrote it, but I broke it during the late stages
of code review. str is already freed here, so this is a use-after-free
vulnerability for starters. It also causes the file saved to be always
empty.
-rw-r--r-- | gvdb-builder.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/gvdb-builder.c b/gvdb-builder.c index cf94691..e36e9ab 100644 --- a/gvdb-builder.c +++ b/gvdb-builder.c @@ -608,7 +608,9 @@ gvdb_table_write_contents_async (GHashTable *table, g_task_set_task_data (task, data, (GDestroyNotify)write_contents_data_free); g_task_set_source_tag (task, gvdb_table_write_contents_async); - g_file_replace_contents_async (file, str->str, str->len, + g_file_replace_contents_async (file, + g_bytes_get_data (bytes, NULL), + g_bytes_get_size (bytes), NULL, FALSE, G_FILE_CREATE_PRIVATE | G_FILE_CREATE_REPLACE_DESTINATION, cancellable, replace_contents_cb, g_steal_pointer (&task)); |
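Review bot: The new arguments to g_file_replace_contents_async() borrow the buffer inside `bytes`, and nothing in this hunk shows what keeps `bytes` alive until replace_contents_cb runs. g_file_replace_contents_async() does not copy its contents argument, so the pointer from g_bytes_get_data() has to stay valid until the callback fires. That is the same lifetime rule the freed `str` violated. Please confirm that `bytes` is owned by `data` and only released through write_contents_data_free, and add a one-line comment at the call saying so, so a later refactor does not reintroduce the use-after-free. Alternatively, g_file_replace_contents_bytes_async (file, bytes, NULL, FALSE, ...) takes its own reference on the GBytes and removes the dependency on the task data's lifetime.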